You Shall Not Pass(words)

A red teamer’s perspective on what is wrong with passwords, and how to make it right

“Your passwords are weak” is one of the most common observations that we find ourselves making in our red teaming work. It is often surprising to organisations. Our clients’ passwords meet their formal complexity requirements. However, a password compliant to password policies is not necessarily a strong password. Password policies are usually designed with respect to the available compliance features in Windows. Some of these, like the 20 years old Windows’ Password Complexity, are quite updated.

In the course of one red team engagement our offensive security professionals can encounter hundreds of weak passwords. Weak passwords allow hackers to infiltrate your network and to move laterally in your environment. In this article, we draw from our offensive security experience to illustrate common misconception about passwords, and what companies should do to enforce stronger ones.

Beyond a lengthy and repetitive approach

In 2017 the NIST Special Publication SP800-63-3 introduced an interesting concept, that complexity requirements and expiry dates are not necessary, and not effective, for memorised secrets like passwords.

This was published at a time where most security control guidelines still required corporate users to use complex passwords and change them periodically, sometimes as often as every month. Instead, NIST encouraged a new approach including using multi-factor authentication solutions wherever possible and checking passwords against dictionary lists, among others.

Microsoft has since implemented some of these suggestions within the Windows platform. From our experience, however, most organisations in Hong Kong and Asia Pacific still lack a full understanding of some of these technologies to apply them effectively. The first misconception is that short passwords and PINs are weak. This is an over-simplification of how security works. The strength of a password should be assessed alongside its potential exploitation techniques.

Length does not always matter

One example is the use of Windows PINs compared to Windows domain passwords. Their requirements should be different because their potential attack vectors are as well. While hashes of Windows passwords can be downloaded and bruteforced offline, PINs cannot. Also, PINs have a much smaller attack surface compared to a domain password.

Windows domain passwords are one of the most common ways to gain access to a target network and its resources in a Windows environment. Domain passwords must be complex because attackers can abuse each one of them at different points of a corporate network. For instance, during red team engagements we can typically conduct password spraying with a standard set of user passwords within the local network and sometimes against remote applications, such as Outlook Web Access. We can also leverage Windows functionalities to obtain password hashes, via Kerberoasting or LLMNR poisoning for instance, which we can then to decrypt by cracking them offline. Strong and complex passwords would be much harder, if not impossible, to crack and would be harder to guess in a password spraying attack.

On the contrary, a Windows PIN can only be used on a single Windows machine, and an attacker can be further slowed down by introducing a delay between failed attempts.

Does a long, complex PIN make sense in this case? A 12-character, complex Windows PIN which can only be entered (and therefore attempted by the attacker) on a physical machine is unnecessary. From a red teamer point of view, a 6- to 8-character PIN is sufficient for a Windows PIN environment.

While it takes only a few hours to bruteforce a hashed 8-character Windows password offline, it takes much longer to test potential PINs on premises on a Windows machine. Also, bruteforcing PIN is not practical because the TPM Anti-Hammering protection locks a PIN attempts for 24 hours after 32 wrong attempts. This is summarised in the graph below.

Therefore a Windows PIN, or any PIN tied to hardware devices like iOS devices:

Does not require length and complexity

Does not require frequent expiry dates

Bypassing passwords

There are other authentication solutions other than passwords and PINs. Some organisations use smartcards, which seem like an elegant solution. In effect, the “PIN” that users enter would unlock the content of the smartcard, which can subsequently be used to connect to domain resources.

The problem often lies with the implementation of these solutions. In most situation, the smartcard stores a NTLM hash that is unlocked by the user’s PIN. This NTLM hash is randomly generated and complex enough for it not to be cracked into cleartext format. However, the system never changes this NTLM hash which can therefore be used directly to authenticate to Windows domain resources via pass-the-hash. If this NTLM hash is compromised, it would allow persistent access by attackers for a long time.

For us red teamers, one way to get these hashes is via Net-NTLMv1 hashes that some organisations still use. NetLMv1 can be directly converted into NTLM, which can then be used for pass-the-hash activities. This is because Net-NTLMv1 relies on 3 separate DES encryptions, which can be cracked separately back into NTLM format due to their weak encryption algorithm.

Another solution to move beyond password authentication is Windows Hello for Business. This Microsoft solution would supposedly allow businesses to move into a password-less environment. In a nutshell, a Windows Hello for Business PIN or biometric authentication would unlock the credentials (stored as certificates or keys) within the PC. We have yet to see widespread adoption Windows Hello for Business though.

Trust but verify

For those of us that must still rely on windows domain passwords, an important addition would be to introduce a password checking process. Most organisations do this via complexity requirements built-in to Windows.

As our reader may have guessed by now, complexity requirements are not enough. Consider the following “strong” passwords that meets Windows complexity policies:

  • P@ssw0rd
  • P@$$w0rd
  • Username!July
  • July!2020

From an IT security controls or compliance person, these are good passwords that meet policy requirements. From a red teamer perspective, these are all very weak passwords.

From our experience, at least 70% of all passwords within an organisation are similarly weak passwords that nonetheless comply with password policies.

The problem could be addressed by increasing the complexity required by password policies. However, this would likely increase users’ frustration while not necessarily making life harder for an attacker.

To ensure that systems are secured with stronger passwords, organisations need a solution that takes into considerations real world scenarios. Consider a password audit exercise, which checks your users’ new and existing passwords against a list of:  

  • Known passwords from leaked data breaches
  • Most commonly used passwords
  • Passwords that contain references to the organisation, username, etc.

Fortunately for Windows users, such a functionality is provided with an Azure AD subscription.

For companies that do not use Azure AD, DarkLab also offers a solution with similar functionalities that relies on password blacklists from our Threat Intelligence practice.

Whatever solutions you choose, remember the key concepts we went through:

  • Longer is not always better
  • PINs are better than passwords
  • Passwordless solutions must be correctly implemented
  • Perform a password audit by checking your passwords against a blacklist, without adding unnecessary complexity!